System and method for usage billing of hosted applications

ABSTRACT

A system, method, and computer readable medium for usage billing of one or more hosted applications serving one or more clients. The hosted applications are contained within one or more isolated environments or run without isolated environments. The system may include usage billing based on one or more of resources open, amount of data flowing through resources, number of open files, number of transactions, number of concurrent users, number of processes, CPU utilization and memory usage, The system may further include a management interface where administrators may add, remove and configure isolated environments, configure client policies and credentials, and force upgrades. If using isolated environments, the isolated environments may be isolated from other applications and the host operating system on the clients and applications within the isolated environments may run without performing an application-installation on the client.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation and claims priority from U.S.application Ser. No. 15/424,795 filed on Feb. 4, 2017 titled SYSTEM ANDMETHOD FOR USAGE BILLING OF HOSTED APPLICATIONS, now issued U.S. Pat.No. 9,710,798, issued Jul. 18, 2017, which is a continuation and claimspriority from U.S. application Ser. No. 14/720,804 filed on May 24, 2015titled SYSTEM AND METHOD FOR USAGE BILLING OF HOSTED APPLICATIONS, nowissued U.S. Pat. No. 9,563,883, issued Feb. 7, 2017, which is acontinuation and claims priority from U.S. application Ser. No.14/458,917 filed on Aug. 13, 2014 titled SYSTEM AND METHOD FOR USAGEBILLING OF HOSTED APPLICATIONS, now issued U.S. Pat. No. 9,058,600,issued Jun. 16, 2015, which is a continuation of U.S. application Ser.No. 14/159,884 filed on Jan. 21, 2014 titled SYSTEM AND METHOD FOR USAGEBILLING OF HOSTED APPLICATIONS, now issued U.S. Pat. No. 8,818,886issued on Aug. 26, 2014, which is a continuation of U.S. applicationSer. No. 13/844,853 filed on Mar. 16, 2013 titled SYSTEM AND METHOD FORUSAGE BILLING OF HOSTED APPLICATIONS, now issued U.S. Pat. No. 8,639,599issued on Jan. 28, 2014, which is a continuation of U.S. applicationSer. No. 12/851,639 filed on Aug. 6, 2010 titled SYSTEM AND METHOD FORUSAGE BILLING OF HOSTED APPLICATIONS, now U.S. issued U.S. Pat. No.8,401,940 issued on Mar. 19, 2013, which is a continuation-in part andclaims priority from U.S. application Ser. No. 12/813,593 filed on Jun.11, 2010 titled SYSTEM AND METHOD FOR APPLICATION ISOLATION WITH LIVEMIGRATION, now issued U.S. Pat. No. 8,539,488 issued on Sep. 17, 2013,which is a continuation-in-part of U.S. application Ser. No. 12/421,691filed on Apr. 10, 2009 titled SYSTEM AND METHOD FOR APPLICATIONISOLATION, now issued U.S. Pat. No. 8,341,631 issued on Dec. 25, 2012,each of which are incorporated herein by reference in their entirety.This application is related to the following commonly assignedapplications: U.S. patent application Ser. No. 12/813,618 filed on Jun.11, 2010 titled SYSTEM AND METHOD FOR HIERARCHICAL INTERCEPTION WITHISOLATED ENVIRONMENTS, now issued U.S. Pat. No. 8,464,256 issued on Jun.11, 2013, is related to U.S. patent application Ser. No. 12/421,692filed on Apr. 10, 2009 titled SYSTEM AND METHOD FOR APPLICATIONISOLATION, now issued U.S. Pat. No. 8,904,004 issued on Dec. 2, 2014, isrelated to U.S. patent application Ser. No. 12/421,694 filed on Apr. 10,2009 titled SYSTEM AND METHOD FOR APPLICATION ISOLATION, now issued U.S.Pat. No. 8,782,670, issued on Jul. 15, 2014, is related to U.S. patentapplication Ser. No. 12/839,576 filed on Jul. 20, 2010 titled SYSTEM ANDMETHOD FOR STREAMING APPLICATION ISOLATION now issued U.S. Pat. No.8,418,236 issued on Apr. 9, 2013, is related to U.S. patent applicationSer. No. 12/839,610 filed on Jul. 20, 2010 titled SYSTEM AND METHOD FORCACHED STREAMING APPLICATION ISOLATION, is related to U.S. patentapplication Ser. No. 12/839,673 filed on Jul. 20, 2010 titled SYSTEM ANDMETHOD FOR ON-LINE AND OFF-LINE STREAMING APPLICATION ISOLATION nowissued U.S. Pat. No. 8,555,360 issued on Oct. 8, 2013, each of which areincorporated herein by reference in their entirety.

NOTICE OF MATERIAL SUBJECT TO COPYRIGHT PROTECTION

A portion of the material in this patent document is subject tocopyright protection under the copyright laws of the United States andof other countries. The owner of the copyright rights has no objectionto the facsimile reproduction by anyone of the patent document or thepatent disclosure, as it appears in the United States Patent andTrademark Office publicly available file or records, but otherwisereserves all copyright rights whatsoever. The copyright owner does nothereby waive any of its rights to have this patent document maintainedin secrecy, including without limitation its rights pursuant to 37C.F.R. § 1.14.

BACKGROUND OF THE INVENTION 1. Field of the Invention

This invention pertains generally to enterprise computer systems,computer networks, embedded computer systems, wireless devices such ascell phones and PDAs, computer systems, and more particularly tomethods, systems and procedures (i.e., programming) for providingapplication isolation for multiple applications running on a hostoperating system and for providing usage billing for applicationsrunning within the isolated environments. The invention further providesapplication usage billing for applications running within a “cloudcomputing” or “hosted environment” with or without isolatedenvironments.

2. Description of Related Art

In many environments one of the most important features is to ensurethat one running application doesn't affect other running applications,and that the crash of one application doesn't compromise other runningapplications. In many environments applications share system resources,libraries and hardware, which expose subtle interconnects betweenseemingly unrelated applications.

Several approaches have been developed addressing this fundamentalproblem. The first level of application isolation is provided by theoperating system. Modern operating systems such as Linux, UNIX,Windows2000, NT, XP and Vista provide some level of applicationisolation through the use of processes, and the underlying hardwarememory management unit. The use of processes generally ensure than onerunning application process cannot address memory owned by otherprocesses. This first level of isolation does not address the use ofshared resources, such as files, file systems, shared memory, andlibraries, so other approaches have been developed.

The present invention builds on the teachings in U.S. application Ser.No. 12/813,593 wherein Havemose teaches “SYSTEM AND METHOD FORAPPLICATION ISOLATION WITH LIVE MIGRATION”, and U.S. application Ser.No. 12/813,618 wherein Havemose teaches “SYSTEM AND METHOD FORHIERARCHICAL INTERCEPTION WITH ISOLATED ENVIRONMENTS” collectivelyidentified as “Havemose” throughout the disclosures. Havemose disclosessystem and methods for creating and maintaining isolated environmentswherein applications can be installed and run without interfering withany other applications on the host system. Havemose further disclosessystem and methods for creating isolated environments and for the use ofpre-created isolated environment as “installation-free” images that canrun on a client without requiring direct application installation on theclient, and systems for hierarchical interception. Havemose teaches anapproach that works on commodity operating system using off-the-shelfapplications. Havemose was incorporated herein by reference in itsentirety above.

In a “Cloud computing” environment, where resources and applications aredynamically assigned and accessed remotely a related challenge is one ofcharging for the use of the application. Historically, applications werepurchased by a corporation, installed in the company's datacenter andmanaged by in-house IT staff. With the shift to cloud computing, theapplications are hosted somewhere in the internet “cloud” and accessedremotely. The actual end-user or the end-user's IT group are typicallynot responsible for installing, hosting, and maintaining theapplication.

A variety of approaches have been designed to manage billing forapplication use. Historically software was purchased and paid for onceand keep updated using an annual maintenance contract. With the move tohosted applications, the hosting provider needs a flexible way to do“usage billing” where the user pays based on actual use patterns.Existing billing-mechanisms are often either fixed one-time licenses asjust described, or require custom applications, custom operatingsystems, or custom hardware.

In U.S. Pat. Nos. 5,047,928 and 5,155,680 Wiedmer teach “Billing Systemfor Computer Software” and “Billing System for Computing Software”respectively. The teachings rely on a combination of algorithms andcustom hardware security and billing modules. The billing modules arereplaced periodically and the billing information is read from thebilling module. In a typical cloud environment requiring custom hardwareand replacement of modules to do billing is impractical and not wellsuited to hosting in a datacenter. Furthermore the teachings do notaddress usage billing.

In U.S. Pat. No. 5,235,290 Cauffman et al teach “Billing System withData Indexing”. The teachings describe a pre-processing mechanism tofacilitate display, under the control of a service customer, forservices rendered to a customer. The teachings do not disclose steps forcollection of usage billing information or the use in a cloud computingenvironment, only a pre-processing step for displaying the results.

In U.S. Pat. No. 5,386,369 Christiano teach “License Metering System forSoftware Applications”. The teachings rely on a hardware dongle as“metering device” and disclose various techniques to ensure that theapplication metering data is accurately stored, and cannot easily belost due to hardware failures. The teachings do not address the actualmetering mechanics, the use within the context of cloud computing orapplication isolation.

In U.S. Pat. No. 5,708,709 Rose teach “System and Method of managingtry-and-buy usage of application programs”. The teachings focus onensuring that a user only can run applications properly licensed using acombination of encryption and verification. The teachings do not addresscollecting usage billing information or application isolation.

Therefore, in many systems, providing usage billing of hostedapplications requires one or more of customized operating systems,customized applications, and proprietary billing infrastructureFurthermore, the above cited references do not include or addressapplication isolation. Hence, there is a need for systems and methodsthat combine application isolation with usage billing of hostedapplications running on commodity operating systems such as Windows andLinux

BRIEF SUMMARY OF THE INVENTION

The present invention provides a system and methods for usage billing ofone or more hosted applications. The one or more applications arepre-configured inside one or more isolated environment and the isolatedenvironments are hosted on one or more central servers. The teachings ofHavemose work on commodity operating systems, such as Windows and Linux,and work with standard “off the shelf” applications; no customizationsof operating system or applications are required, and no virtualmachines, virtual file system or any other proprietary protocols areneeded. The isolated environments with said one of more applications areaccessed remotely or locally and clients can run said one or moreapplications without ever performing a local installation. Usage billinginformation is collected for said one or more applications and collectedand aggregated for billing purposes. In one embodiment an implementationin the Linux environment is disclosed, in another embodiment animplementation on Windows is disclosed. In yet another embodiment, animplementation of usage billing without isolated environments isdisclosed.

Another aspect of the present invention is the fine granularity on whichusage billing is provided. Examples include billing based on applicationtime used, application memory used, number of open files, number oftransactions, amount of air-time, and a variety of other metrics. Yetanother aspect of the present invention is a flexible event drivenbilling aggregator providing summary billing information for each chosenevent type.

Yet other aspects of the present invention are a two-way authenticationsubsystem and encryption of communication data. The streaming server isauthenticated by clients before they accepting any streaming data, andclients likewise are authenticated against pre-defined credentialsbefore the streaming servers delivers any isolated environments orupdates.

A user of the client computer can run the application without needing toinstall or configure the application; the user runs the application aspre-configured and provided on the streaming server. The presentteachings require no special virtual file systems, proprietary streamingprotocols, or any other proprietary protocols.

DEFINITIONS

The terms “Windows” and “Microsoft Windows” is utilized hereininterchangeably to designate any and all versions of the MicrosoftWindows operating systems. By example, and not limitation, this includesWindows XP, Windows Server 2003, Windows NT, Windows Vista, WindowsServer 2008, Windows 7, Windows Mobile, and Windows Embedded.

The terms “Linux” and “UNIX” is utilized herein to designate any and allvariants of Linux and UNIX. By example, and not limitation, thisincludes RedHat Linux, Suse Linux, Ubuntu Linux, HPUX (HP UNIX), andSolaris (Sun UNIX).

The term “node” and “host” are utilized herein interchangeably todesignate one or more processors running a single instance of anoperating system. A virtual machine, such as VMWare, KVM, or XEN VMinstance, is also considered a “node”. Using VM technology, it ispossible to have multiple nodes on one physical server.

The terms “application” is utilized to designate a grouping of one ormore processes, where each process can consist of one or more threads.Operating systems generally launch an application by creating theapplication's initial process and letting that initial processrun/execute. In the following teachings we often identify theapplication at launch time with that initial process.

The term “application group” is utilized to designate a grouping of oneor more applications.

In the following we use commonly known terms including but not limitedto “client”, “server”, “API”, “java”, “process”, “process ID (PID)”,“thread”, “thread ID (TID)”, “thread local storage (TLS)”, “instructionpointer”, “stack”, “kernel”, “kernel module”, “loadable kernel module”,“heap”, “stack”, “files”, “disk”, “CPU”, “CPU registers”, “storage”,“memory”, “memory segments”, “address space”, “semaphore”, “loader”,“system loader”, “system path”, “sockets”, “TCP/IP”, “http”, “ftp”,“Inter-process communication (IPC), “Asynchronous Procedure Calls (APC),“POSIX”,” and “signal”. These terms are well known in the art and thuswill not be described in detail herein.

In the following we use commonly known terms from computer security andencryption including, but not limited to “certificate”, “certificateauthority”, “Secure Socket Layer”, “SSL”, MD-5”, “MD-6”, “MessageDigest”, “SHA”, “Secure Hash Algorithm”, “NSA”, “NIST”, “private key”,“public key”, “key pair”, and “hash collision”. These terms are wellknown in the art and thus will not be described in detailed herein.

The term “transport” is utilized to designate the connection, mechanismand/or protocols used for communicating across the distributedapplication. Examples of transport include TCP/IP, Message PassingInterface (MPI), Myrinet, Fibre Channel, ATM, shared memory, DMA, RDMA,system buses, and custom backplanes. In the following, the term“transport driver” is utilized to designate the implementation of thetransport. By way of example, the transport driver for TCP/IP would bethe local TCP/IP stack running on the host.

The term “interception” is used to designate the mechanism by which anapplication re-directs a system call or library call to a newimplementation. On Linux and other UNIX variants interception isgenerally achieved by a combination of LD_PRELOAD, wrapper functions,identically named functions resolved earlier in the load process, andchanges to the kernel sys call table. On Windows, interception can beachieved by modifying a process' Import Address Table and creatingTrampoline functions, as documented by “Detours: Binary Interception ofWin32 Functions” by Galen Hunt and Doug Brubacher, Microsoft ResearchJuly 1999″. Throughout the rest of this document we use the terminterception to designate the functionality across all operatingsystems.

The term “file context” or “context” is used in relation with fileoperations to designate all relevant file information. By way ofexample, and not limitation, this includes file name, directory,read/write/append/execute attributes, buffers and other relevant data asrequired by the operating system.

The term “transparent” is used herein to designate that no modificationto the application is required. In other words, the present inventionworks directly on the application binary without needing any applicationcustomization, source code modifications, recompilation, re-linking,special installation, custom agents, or other extensions.

The terms “private and isolated environment” and “isolated environmentIE)” are used herein interchangeably to designate the private area setaside for application isolation, as described in Havemose. Theabbreviation IE is used to designate an isolated environment on thediagrams and throughout the text.

The Term “Isolated Environment Infrastructure (IEI)” is used herein todesignate the entire isolated environment infrastructure as disclosed inHavemose. It's comprised of shared libraries, a series of interceptorsand other configuration information is described in the cited reference.Details of IEI will not be further described herein.

The terms “Cloud Computing”, “Software as a service (SaaS)”, “UtilityComputing”, and “Hosted Applications” are used herein interchangeably todesignate a deployment model where applications are hosted centrally,often off-site, and accessed remotely. Typically, the applications arehosted and managed by an independent company and the end-user pays toaccess the software services.

The term “usage billing” is used herein to designate that the user of anapplications pays to use the application based on one or more metrics.Possible metrics include, but are not limited to: time used, storageused, number of open files, number of records in a database, and numberof times the application has been launched.

Further aspects of the invention will be brought out in the followingportions of the specification, wherein the detailed description is forthe purpose of fully disclosing preferred embodiments of the inventionwithout placing limitations thereon.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)

The invention will be more fully understood by reference to thefollowing drawings which are for illustrative purposes only:

FIG. 1 is a block diagram of the core system architecture showing threeclients and the IE Streaming Server

FIG. 2 is a block diagram illustrating the Isolated EnvironmentStreaming Server

FIG. 3 is a block diagram illustrating Client Systems

FIG. 4 is a block diagram illustrating establishing a secure andcredentialed connection between a client and the IESS

FIG. 5 is a block diagram illustrating establishing client credentials

FIG. 6 is a block diagram illustrating creating the list of credentialedIEs for a client

FIG. 7. is a block diagram illustrating the client policy manager

FIG. 8. is a block diagram illustrating client synchronization againstthe IESS

FIG. 9 is a block diagram illustrating client operation in off-line andon-line modes

FIG. 10 is a block diagram illustrating administration

FIG. 11 is a block diagram illustrating the billing

FIG. 12 is a block diagram illustrating the local billing manager

FIG. 13 is a block diagram illustrating various deployment scenarios andthe central billing manager

DETAILED DESCRIPTION OF THE INVENTION

Referring more specifically to the drawings, for illustrative purposesthe present invention will be disclosed in relation to FIG. 1 throughFIG. 13. It will be appreciated that the system and apparatus of theinvention may vary as to configuration and as to details of theconstituent components, and that the method may vary as to the specificsteps and sequence, without departing from the basic concepts asdisclosed herein.

0. Introduction

The context in which this invention is disclosed is one or moreapplications installed inside isolated environments and hosted on an“Isolated Environment Streaming Server (IESS)” with the isolatedenvironments being streamed to one or more clients. The Havemosereference cited above, included in its entirety by reference, teachesthe creation and maintenance of the isolated environments. Usage billinginformation is collected by the Isolated Environment Infrastructure(IEI) present on all clients, and aggregated by a billing managersystem. Without affecting the general case of multiple applications, thefollowing scenarios often depict and describe one or two applications asapplicable. Multiple applications are handled in a similar manner.Similarly the following scenarios often depict one or two clients;multiple clients are handled in a similar manner. Similarly, thefollowing scenarios often depict one isolated environment per client;multiple isolated environments are handled in a similar manner.Similarly, the following scenarios often depict one IESS; multipleIESSes are handled in a similar manner. The term “client” is used onlyto designate that it's the recipient of the isolated environmentssteamed from the IESS. By way of example, the “client” may be a desktopworkstation, a server in a data center, or a virtual machine hosted onsome other server

1. Overview

FIG. 1 illustrates by way of example embodiment 1 the overall structureof the present invention. The following brief overview illustrates thehigh-level relationship between the various components; further detailson the inner workings and interdependencies are provided in thefollowing sections. FIG. 1. Illustrates by way of example embodimentthree client systems 10, 20, 30 and the Isolated Environment StreamingServer (IESS) 40. The client systems contain isolated environments (IE)and the “Client Credentials (CC)” governing the IESS access privilegesfor the particular client on the IESS. Also present on each client isthe core Isolated Environment Infrastructure (IEI) and operating systemand libraries. Specifically, Client-1 10 contains isolated environmentIE-1 12 with update-cache 13 and client credentials (CC) 18, IsolatedEnvironment Infrastructure (IEI) 14 and operating system and libraries16. Client-2 20 contains IE-2 22 with update-cache 23 and CC 28, LEI 24and operating system and libraries 26, while Client-3 30 contains IE-332 with update-cache 33 and CC 38, IEI 34 and operating system andlibraries 36.

Each client connects to the IESS 40 via the Client Policy Manager (CPM)42. The CPM validates the credentials and maintains an Account for eachcredentialed client. Associated with each Client Account is anupdate-cache used to optimize access to isolated environments enabledfor the particular client. Each client has one update-cache percredentialed IE. If a client account has access to two IEs, there arethus two update-caches for that particular client.

FIG. 1 illustrates by way of example the Client Policy Manager (CPM) 42with three client accounts: Account Client-1 44 with associatedupdate-caches 46, Account Client-2 48 with associated update-cache 50,and Account Client-3 52 with associated update-cache 54. By way ofexample, Client 1 is credentialed to use isolated environment IE-1 56and IE-2 58 and therefore has two update-caches 46, while Client 2 iscredentialed to use isolated environment 2 IE-2 58, and Client 3 iscredentialed to use isolated environment ‘n’ 62.

It is readily apparent to someone skilled in the art that thearchitecture extends to any number of clients, any number of isolatedenvironments on any one client, and to any number of pre-configuredisolated environments on the IESS.

2. IE Streaming Server (IESS)

FIG. 2 illustrate by way of example embodiment 80, the key functionalelements of the Isolated Environment Streaming Server IESS 82. Thefollowing brief overview only illustrate the key components, furtherdetails are given below. Loaded in memory 84 are the Client PolicyManager (CPM) 86 and the accounts and update-caches for active clients90. The isolated environments 92 available for streaming to client areloaded from either local disk 100 or networked storage 102, anddelivered to clients over the network 104 as determined by theupdate-caches 90

System resources, such as CPUs 98, I/O devices 96, Network interfaces 94and storage 100, 102 are accessed using the operating system 88. Devicesaccessing remote resources use some form of transport network 104. Byway of example, system networking 104 may use TCP/IP over Ethernettransport, Storage 100, 102 may use Fibre Channel or Ethernet transport,and I/O may use USB.

3. Client Architecture

FIG. 3 illustrate by way of example embodiment 120, the key functionalelements of a client system 122 within the context of the presentinvention. The following brief overview only illustrates the keycomponents; further details are given below. Loaded in memory 124 arethe applications within the isolated environments, IE-A 130 withupdate-cache 131, IE-B 132 with update-cache 133, and the ClientCredentials 134. The core Isolated Environment Infrastructure (IEI) asdefined above and in Havemose, is also loaded in memory.

System resources, such as CPUs 142, I/O devices 140, Network interfaces138 and storage 136 are accessed using the operating system 128. Devicesaccessing remote resources use some form of transport network 144. Byway of example, system networking 144 may use TCP/IP over Ethernettransport, Storage 136 may use Fibre Channel or Ethernet transport, andI/O 140 may use USB.

4. IE Stream Server Credentials and Secure Communication

To ensure secure and private communication the IESS most be properlycredentialed. By way of example, if personnel in HR want to interactwith the payroll system on the IESS and upload payroll information, theclient system used by the HR employee validates the credentials of theIESS before uploading sensitive payroll information. If the IESScredential validation fails, the client system disconnects and stopsinteracting with the IESS.

A related issue is security; ensuring that no malware of spyware getsdownloaded into the clients isolated environments. By requiring acredentialed IESS, there a no risks of connecting to a malware site bymistake as such connections would be refused by the isolated environmentinfrastructure without establishing any connection beyond the initialattempt to validate credentials.

Full IESS credentials are provided by a standard SSL certificate issuedby either a certificate authority or generated in-house. If the IESS isaccessed over the internet, a preferred implementation uses acertificate issued by a Certificate Authority. If the IESS only isaccessed via a private LAN, WAN or VPN, an in-house generatedcertificate would suffice, but a certificates issued by a CertificateAuthority equally works.

The present invention establishes the initial secure communication usingSecure Sockets Layer (SSL), a standardized technology widely availablein modern operating systems such as Windows and Linux. Open sourceimplementations of SSL include OpenSSL (www.openssl.org).

FIG. 4 illustrates by way of example embodiment 160 the initial stepsneeded to set up secure communication between a client and an IESS.

First a certificate for the IESS is generated. Generation of the IESScertificate only is needed when creating a new certificate, or when acertificate has expired. Generally, a certificate is valid for one ormore years if generated by a certificate authority. First a private andpublic key pair is generated 164. This is accomplished using commonlyavailable tools, such as ‘makekey’ provided by OpenSSL. In a preferredimplementation, the a certificate request is prepared (‘certreq’ inOpenSSL) with the public key and transmitted to the CertificateAuthority 162 together with information confirming the senders identity.The Certificate Authority generates a certificate 168 and delivers itback to the originator 166 and the certificate is installed on the IESS.In an alternate implementation, the certificate is self-generated usingone of the available tools, such as ‘testreq’ from OpenSSL. Thecertificate 168 is used to establish the credentials of the IESS byclients.

FIG. 4 further illustrates by way of example embodiment theestablishment of secure and encrypted communication between a client 170and the IESS.

The client initiates communication 174 with the IESS using SSL. Inresponse to the initial contact, the IESS 172 accepts the request forthe certificate 176 and delivers the certificate to the client. Theclient validates the certificate 180. Validation can take one of twoforms: in a preferred implementation the certificate is compared againsta local copy provided by the administrator as part of present invention,in an alternate implementation the certificate is validated againstknown and pre-approved certificate authorities. Modern operatingsystems, such as Linux and Windows, provide a mechanism to storepre-approved certificates. If the validation fails 182 the clientdisconnects 184 as the IESS is rogue, mis-configured, or has an invalidcertificate. If the certificate validates 183, the client proceeds 186and using SSL establishes secure and encrypted communication 188 withthe IESS.

The client is now ready to have its client credentials validated 190 bythe Client Policy Manager (CPM) within the IESS.

5. Validating Client Credentials with the Client Policy Manager

With possibly multiple isolated environments hosted on an IESS, properauthentication of clients is important. By way of example, if aparticular isolated environment contains a payroll software application,only clients with the proper credentials (generally personnel in humanresources) should have access to the payroll application. The ClientPolicy Manager (CPM) running on the IESS governs which clients haveaccess to which isolated environment. The specific client privileges areset by the system administrator and are implemented by the CPM.

The connection between client and IESS, as describe above, isestablished using SSL, and is therefore secure and encrypted. The clientonly needs the client account as its credentials. All IEs available to aparticular client are managed by the CPM and the key-pair needed forencryption is managed by SSL.

When a client wishes to use a particular application within an isolatedenvironment; the client makes a request to the Client Policy Manager(CPM) for access to the requested IE. The CPM validates the clientcredentials at two levels: first the client is validated as havingaccess to the IESS services, followed by validation of the client'scredentials for the requested IE.

FIG. 5 illustrates by way of example embodiment 200 a client 202 makinga request to run a particular IE. The CPM first validates 204 that theuser has access to the IESS, by consulting its built-in database ofapproved clients 206. The result of the client validation by CPM isreturned 207 to the client. If the client has invalid credentials 208,the session is terminated 224 and no further action is taken. If theclient has valid credentials 210, the credentials to access theparticular IE are validated 212. If the client is not credentialed toaccess the IE any future access attempts to the IE are eliminated 214.If the IE is installed on the client system, it is removed 218 and thesession is terminated 224. If the IE is not installed on the client, thesession terminates as there is no data or IE to remove. The IE isremoved for reasons of security and access control: if a credentialeduser has the rights to use a particular IE revoked, the possibility torun the IE must be removed. In continuation of the example, if theemployee in the payroll department transfers to benefits, the employeeis still credentialed, but should no longer have access to the payrollapplication.

If the client is credentialed to run the particular IE 216, the IE needsto be either installed or potentially updated. If the IE is notinstalled on the client 220, it is copied to the client environment, andthe IESS update-caches are updated to reflect the current state of theclient copy. If the IE already is installed on the client 222, theupdate-caches on IESS are queried and updates propagated as necessary.The caching and installation are described in more detail below.

When a client starts the present invention he is presented with a listof available IEs based on his credentials. FIG. 6 illustrates by way ofexample embodiment 240, a client obtaining the list of credentialedapplications and launching a chosen application. First the client iscredentialed 242 as described above. The client requests a list ofcredentialed IEs 244 and the CPM 246 responds with a list of IEsavailable and credentialed for the particular client. The list ispresented to the client 250. In a preferred embodiment the client ispresented with a graphical user interface 252 allowing the client tochoose from a list of credentialed applications 254 and starting theapplication directly by clicking either on the application name 254 orOK 260. The launch can be cancelled by selecting “Cancel” 258. Theclient can also force a refresh 256 of available IEs, thereby updatingthe IE list 254. In a preferred embodiment the most recently chosenapplication is automatically highlighted. By way of example, FIG. 6illustrates the scenario 254 with two credentialed applications(“Payroll” and “Benefits”) and one application no longer credentialed(“Investor Relations”). By selecting “Off-line” 257 the user indicatesno synchronization against the IESS and that the local already-installedIE should be run.

6. Client Policy Manager Architecture

The Client Policy Manager (CPM) within the IESS is the main contactpoint between clients and the IESS. The functionality of the CPM fall inseveral broad categories: 1) delivery of certificates to clients andestablishment of SSL, 2) general client account access, 3)administration, and 4) management and implementation of the cachingsubsystem. FIG. 7 illustrates by way of example embodiment 240, thearchitectural blocks of the CPM 242.

6.1 Certificates and SSL:

As disclosed previously, the IESS is credentialed by clients using a SSLcertificate. The certificate serves dual roles, as a mechanism for theclients to validate the identity of the IESS and by providing keys forsecure encrypted communication over SSL. Referring to FIG. 7 forillustrative purposes, the IESS certificate interface 244 is responsiblefor responding to certificate requests and to deliver them. The SSLinterface 246 is responsible for the IESS end of SSL. In modernoperating systems SSL is in general pre-defined to use certain portssuch as 443 and 442 for SSL certificates and https respectively. In apreferred implementation, the present invention uses different portsthat the default ports to avoid conflicts with web browsing and tominimize attacks. In an alternate implementation, the standard ports areused.

6.2 General Account Access:

As previously disclosed, the CPM 242 provides a number of clientservices. Referring to FIG. 7 for illustrative purposes: The validationof clients 250 as disclosed in section 5, the enumeration of availableIEs given the clients credentials 252 (section 5), and the generalclient account and credentials subsystem 254 containing an accountdatabase 255 with account info for each valid client account

Associated with each client account 256 is a record in the accountdatabase 257 containing specific information about the account, andsubsystems 258 for cache management 260 and billing/logging 262. Eachclient account record 257 in the database 255 contains at least thefollowing fields:

-   -   Client login    -   Account Holder Name    -   Status of account    -   List of credentialed IEs

The “client login” is the “user-id” used to validate the client account,while the “account holder name”, is the actual name of the person towhich the account is assigned. The “status of account” indicates if theaccount is valid and credentialed. Finally, the database maintains alist of isolated environments to which the user is credentialed. Thislist is presented to the user when requesting Client IE enumeration 252as disclosed in section 5.

Associated with the client account are also the caching subsystem 260and the billing and logging subsystem 262.

6.3 Update-Cache subsystem for Isolated Environments.

When a client requests access to a credentialed isolated environment,the IE is streamed in its entirety if not already present on the clientsystem, or the client IE is selectively updated with changes asappropriate. In the following, the details on these steps are disclosed.

By way of example, a typical Microsoft Office 2003 installation consistsof approximately 1800 files with a combined size of about 315 MB. Someof the largest files are Word at 12 MB, Excel at 10 MB and PowerPoint at6 MB. On a typical 1 Gbit/sec corporate network a typical goodtransmission rate is about 100 MB/sec, but can be significantly less. Atypical ADSL connection runs at 1.5 Mbit/sec or 150 kB/sec and can beless.

The one-time installation of the entire environment with Office 2003therefore typically takes about 3.1 sec or longer over corporatenetwork. Over ADSL the Office IE takes 35 min or longer. While the 3.5seconds on the office network is acceptable, the 35 minutes for ADSLaccess is not practical. The present invention includes anupdate-caching subsystem ensuring that only changed files are streamedto the client, and furthermore, that the streaming is compressed whenappropriate.

FIG. 7 illustrates by way of example embodiment the update-cachemanagement and its relation to the isolated environments. For eachclient account 256 in the client database 255, the present inventionmanages 260 the IE update-caches. Each IE credentialed for a particularuser, has an update—cache associated with it for that user. Referring toFIG. 7, for client ‘m’ IE-1 266 is streamed subject to its update-cache264, while IE-2 270 is streamed subject to its update-cache 268. If aparticular IE is used by multiple clients, each client account 256maintains its own update-cache for the particular IE.

To reduce the need to stream files already present on the clientcomputer an update-cache is employed for each IE. The update-cachecontains pre-computed information assisting in quickly indentifyingwhich files have changed since last time the IE was accessed; therebyreducing unnecessary streaming of IE files.

The update-cache for a particular IE is comprised of a list of records,called “CacheLine”, where each record corresponds to one file within theisolated environment. The data structure for “CacheLine” in pseudo code:

Class CacheLine {

-   -   String m_FileName;    -   String m_Directory;    -   Time m_LastChangeTime;    -   long m_FileSize;    -   int[MD_SIZE] m_MessageDigest;    -   boolean m_CompressionOn;    -   int m_MessageDigestAlgorithm;    -   int m_CompressionAlgorithm;

};

The field “m_FileName” is the name of the file, and m_Directory thedirectory location of the file. The combination of “m_FileName” and“m_Directory” uniquely identifies the file. The field “m_LastChangeTime”is the time at which the particular file was most recently changed,updated or created, and “m_FileSize” is the size of the file.

To make the update-cache efficient, the present invention pre-computes a“m_MessageDigest” representing the file. The message digest is a 128 bitor longer integer calculated in a manner to ensure that two differentfiles have different message digests. Message Digests are well knownwithin the art. Commonly deployed digests are MD5 (“Message-Digestalgorithm 5” of size 128 bit), MD6 (Message-Digest algorithm 6 withsizes up to 512 bits), and SHA-n (Secure Hash Algorithm ‘n’ with sizesup to 1024 bits). The message digest is used as part of the validationto see if a particular file should be streamed to the client. Apractical issue is hash collision, where two different files produce thesame hash value. SHA-2 has no known hash collisions and is the defaultin a preferred embodiment. To further reduce the risk of ahash-collision possibly affecting the update-caches, the size of thefile (m_FileSize) and the time stamp of the most recent file change(m_LastChangeTime) are also used in the comparing against theupdate-cache.

All supported Message Digests Algorithms are predefined as integers andthe one used encoded in the field ‘m_MessageDigestAlgorithm”.

Another field “m_CompressionOn” determines if compression is used forthe particular file corresponding to the CacheLine. Depending on filesize, network bandwidth and available CPU cycles, files may selectivelybe compressed prior to being streamed to the client. All supportedcompression algorithms are pre-defined as integers and the one usedencoded in the field “m_CompressionAlgorithm”. Compression algorithmsare provided as part of modern operating systems such as Windows andLinux. In a preferred embodiment, the operating systems defaultcompression algorithm is used. In an alternate embodiment a customizedcompression algorithm is used. A wide selection of open source andcommercial no-loss compression algorithms exists, including but notlimited to LZ, LZR, LZX, PKZIP, GZIP and ZIP. In a preferred embodiment,files are automatically compressed if the network operates at less than1.5 mbit/sec and the file size is greater than 1 MB. In an alternateembodiment every file is compressed. In another alternate embodiment nofiles are compressed.

Creating and Updating the Update-Cache:

The Havemose reference cited above and included in its entirety, teachcreation and updating of isolated environments. The IE's associatedupdate-cache is generated after install/update as follows (in pseudocode)

For each file in the isolated environment

{

-   -   Identify CacheLine corresponding to file or create a new        CacheLine    -   Update CacheLine with    -   {        -   FileName, m_Directory,        -   m_LastChangeTime, m_FileSize        -   Compute message digest:        -   set m_MessageDigest        -   set m_MessageDigestAlgorithm        -   Compute if the file should be compressed:        -   set m_CompressionOn        -   set m_CompressionAlgorithm    -   }    -   Remove any CacheLine entries no longer used

}

When creating a new Isolated Environment and installing applicationswithin the IE, all CacheLines in the update-cache are new. The abovelisted set of instructions thus creates the update-cache with all newelements.

By way of example, after applying a software patch, the update-cacheneeds to be updated. A software patch generally modifies, adds andremoves files, and the update-cache is updated to reflect the changes.Referring to the pseudo code above: CacheLines corresponding to newfiles are added, CacheLines corresponding to modified files arere-computed and updated, and CacheLines corresponding to now-deletedfiles are removed. Files unaffected by the software patch are leftunchanged in the update-cache. Similarly the update-caches are updatedafter a patch to the operating system.

Client Synchronization with the Update-Cache.—Optimized Streaming

Optimized streaming, where the fewest possible files are streamed fromthe IESS to a client requesting the use or update of a particularisolated environment, is achieved by using of the update-caches on boththe client and the IESS

FIG. 8 illustrates by way of example embodiment 280 the optimizedstreaming process. A client 282 with one IE 284 and its associatedupdate cache 286 (named u-cache on the diagram) is connecting to theIESS with a CPM 288. The client account 290 within the account databasecontains, as previously disclosed, the account record 290 and the cachemanagement 294 for the update-cache 296 associated with the clientaccount 290 and the particular IE 298

To determine which files within the IE 298 on the IESS have beenmodified since the client last connected, the Cache Mgr 294 compares theclient's u-cache 286 with the corresponding update-cache 296 on theIESS. The entire process is as follows:

Initially, the client and the IE are credentialed against the CPM aspreviously disclosed 300. The client 302 requests an update of the IEand transmits the client's u-cache to the CPMs cache mgr 304. TheCacheMgr's traverses the update-cache one CacheLine at a time 306 andcomparing against the u-cache received from the client 302. First test308 is to see if the current CacheLine is present in the client'su-cache. If the CacheLine is not in the u-cache, it signifies a new filein the IE, and the file corresponding to the CacheLine is prepared to betransmitted to the client 312. If the CacheLine exists in the u-cache, asecond test is performed. The second test 310 is to see if the CacheLineentry has been updated when compared to the corresponding u-cacheCacheLine. If the IESS CacheLine indicates a change has been made, thefile corresponding to the CacheLine is prepared to be transmitted 312 tothe client. If the CacheLines are identical in the update cache andu-cache, no further steps on this CacheLine are necessary.

The second test 310 to see if two CacheLine Entries are identical isperformed as follows: The client u-cache and the update-cache CacheLinesare considered identical if all of the following are identical:m_FileName, m_Directory, m_LastChangeTime, m_FileSize, andm_MessageDigest. If one or more of said fields are different, the entryis deemed not too match.

The final step after identifying a file for transmittal to the client312 is to test if the file should be compressed 314 per the field in theCacheLine. If the file is to be compressed 316, it's compressed 316 andtransmitted 318. If compression is not activated, the file istransmitted 318.

Upon completing the comparison of the client's u-cache with theupdate-cache 304, the update-cache is sent to the client 320

On the client, all new files are received 322 and copied into theenvironment 324. Finally, the u-cache is replaced with the update-cachecorresponding to the just—completed update 326. The final step is tosynchronize the client's new u-cache against the client's IE and removefiles no longer included in the u-cache 326. If the client immediatelyreconnected 300,302 the update process 304 would detect no new files andthe update process would be instantaneous.

In continuation of the example above, a typical Microsoft Officesecurity patch modifies few of the 1800 files in full installation ofOffice. By way of example, if 50 files are modified only those 50 filesneed to be streamed to the client, corresponding to less than 3% of thetotal installation. This reduces the ADLS update from 35 minutes to 1minute, which is a practical delay to install a patch over a slowernetwork.

7. Online and Off-Line Client Operation

The present invention supports two modes of operation: an “off-line”mode of operation where the client runs an already-installed isolatedenvironment without connecting to the IESS, and an “on-line” mode wherethe client is fully validated and updates automatically are streamed.

By way of example, a user connects with the present invention while atthe office, retrieves and updates all credentialed IEs and works withthe applications within the IE as if they were locally installed. Laterthe user is travelling and loads the present invention again. This timethe user selects the “off line” mode of operation. In stead of gettingcredentialed by the IESS, the user simply runs the applications withinthe already installed IEs. No updates are forced and no changes arestreamed. The “off-line” mode allows the user to work without needingnetwork access.

FIG. 6 illustrates by way of example embodiment the user-settings foroff-line and on-line operation. If the user checks the “off-line”checkbox 257, the system defaults to off-line mode, while de-selectingthe “off-line” checkbox leaves the present invention in on-line mode.Using the underlying operating system, it is easy to detect if there isa network connection available. By way of example this can be achievedby attempting to open an http: connection to a well known web site suchas www.yahoo.com or www.whitehouse.gov and process any error messages.If no network connection is found, the IEI is set to “off-line” and the“off-line” checkbox is automatically set. Furthermore, if a networkconnection is found, but the IESS is unreachable, the off-line mode andthe “off-line” checkbox are likewise automatically set.

FIG. 9 illustrates by way of example embodiment 340 the launchprocedures for both off-line and on-line modes. The user starts theisolated environment 342 on the client computer. The IEI auto-detectsnetwork availability 344 followed by testing the outcome of theauto-detection 346. If no network is available, the IEI enters off-linemode 348 and presents the user with already credentialed IEs availableto run 350. The user chooses an IE 351 (also FIG. 6 252) and runs thechosen IE. When finished, the IE terminates 352.

If the network is available on-line mode is enabled 354 and the user canchoose to operate in on-line or off-line mode 356. If the user choosesoff-line, the user is presented with the list of already credentialedIEs 350 available to run 351. The user chooses an IE 351 and the IE isrun. If the user chooses to proceed in on-line mode, the steps outlinedin section 5 and FIG. 5 are followed 358, 360. Upon finishing, the IEIexits the IE 352

8. Administration

The present invention provides administration for both clients and theIESS. Administration on the client is a matter of installing the IEI andthe user account name; all other administrative options are containedand controlled on the IESS.

FIG. 10 illustrates by way of example embodiment 380 a flow chart of thevarious administrative options. Administration 382 falls in two broadcategories: administration of settings related to a particular user andadministrative settings related to all isolated environments. First stepis to choose 384 between administration of client settings and thegeneral IESS settings. For client administration 386. If the IEI is notinstalled on the client device 388, it is installed and the user accountinfo is provided 390. If the client IEI is installed, any updates to theIEI infrastructure is performed 392. This is followed for both cases bygeneral client account administration 394. All information provided inthis step is stored in the record for the particular account. For aparticular client the administrative options include but are not limitedto:

1. add a new client

2. remove an existing client

2. add credentialed IEs for use by the client

3. remove credentialed IEs for use by the client

4. force a rebuild of update-cache for one or more of the clients IEs

5. set client login, and account holder name

6. set status of account (active, not active)

The account information govern the client credentialing processeddisclosed above

For general IESS administration 396 the administrative options 398include but are not limited to:

1. creation and installation of an isolated environment

2. removal of an isolated environment

3. updated/patch software within an isolated environment

4. rebuild one or more of the update-caches

5. set the default compression algorithm

6. set the default message digest algorithm

In a preferred embodiment the administration is performed using agraphical user interface. In an alternate embodiment, as softwareapplication programming interface (API) is used.

9 Usage Billing Overview

The Havemose disclosures, included in their entirety by reference, teachlayered interception for multi-process multi-threaded applicationgroups. The following disclosures build on said layered interceptionssystem and methods to add fine-grained usage billing

FIG. 11 illustrates by way of example embodiment 420 an applicationgroup 422 and the integration of the billing subsystem. The billingsubsystem is comprised of a local billing manager 426 and billinginterceptors 434. FIG. 11 is carried over from the Havemose FIG. 11 andupdated with the new billing components. The following disclosures focuson the new billing elements and any changes in control and data flow.

By way of example, the application group 422 consists of one applicationA1 430. Multiple applications are handled in a similar manner. TheApplication Group Control Process (AGCP) 424 launches 428 Application A1430 and launches the local Billing Manager 426. The AGCP 424 loads 450the barrier 452 for the application group. As part of the load process,the AGCP 424 preloads the interceptors 432, including the InterceptionLayer (IL) 446, for each application process, the billing interceptors434 and the checkpointer library 438 for each application process. Theapplication process interception layer 432, the billing interceptors 434and the checkpointing library 438 are shared libraries and pre-loadedtogether. In an alternate implementation, the application processinterception layer 432, the billing interceptors 434, and thecheckpointing library 438 are combined into one shared library. Alllibraries operate within the address space of the application processwhere they were loaded.

FIG. 11 illustrates by way of example an Application A1 430 with oneprocess and one corresponding application interception layer 432, onebilling interceptor 434, and one checkpointing library 438. Multipleprocesses are handled in a similar manner with each process having acorresponding application process interception layer, billinginterceptor, and checkpointing library. As taught in Havemose, theInterception Layer for an application is comprised of the individualapplication process interception layers. To distinguish betweeninterception inside the application process interception layer 432 andthe resource re-mapping functionality managed by the interception layer,the Interception Layer 446 is depicted separately on the diagrams. Inthe preferred implementation, the resource remapping functionalitywithin IL 446 is embedded within the application process interceptionlayer 432 and is executed after the checkpointing interceptors return440 to the application process interception layer 432.

As part of loading and initializing the application A1, AGCP 424 furthercreates a dedicated checkpointing thread for each process in theapplication group. FIG. 11 illustrates by way of example a one-processapplication A1 with one corresponding checkpointing thread 431.Multi-process applications are handled in a similar manner with onecheckpointing thread created per process. As processes are created andterminated, checkpointing threads are added and removed as necessary asdisclosed in Havemose. As part of initializing the checkpointing library438, the checkpointing library registers 456 the current process withthe checkpoint barrier 452 The registration ensures that the currentthread and process is included in the barrier, and ensures that thecurrent process' checkpoint thread 431 is called as part of the barrierThe billing interceptor 434 run within the address space of theapplication process 430 and are automatically included in thecheckpoints.

The Interception database IDB 448 is global to all application groupswithin the isolated environment. If the IDB 448 has not been loaded, theAGCP 424 launches the IDB 448 prior to the performing the load processdisclosed above.

The checkpointer, billing interceptors and the isolated environment allneed access to all intercepted functions. In general, the checkpointeroperates on the running application and utilizes interception to captureresource and their usage. The isolated environment utilizes theinterception to re-direct resource usage to the isolated environment,and the billing interceptors add billing counters to a variety of systemcalls. By way of example, and not limitation, when application A1 430reaches function ifunc( ) 460, which is subject the interception, thefunction ifunc( ) 460 is intercepted 462 and re-directed to theapplication process interception library 432. At this point ifunc( ),its context and parameters reflects the actual running applicationprocess. The intercepted call is first processed by the billinginterceptor 434, then forwarded 436 to the checkpointing library 438,where all relevant stack information is saved. If ifunc( ) changes theprocess hierarchy, the change is communicated 454 to AGCP 284 in orderto have AGCP 424 preload or remove the interceptors as previouslydisclosed. Control is then returned 440 to the application processinterception layer 432. The application process interception layer calls442 to the Interception Layer (IL) 446. The IL 446 remaps resourcesusing the Interception Database 448 as disclosed in Havemose. Adjustedresources or data are returned 444 to the interceptor and sent back 464to the calling application process via the return of ifunc( ).

10. Usage Billing Details

Usage billing requires sampling and monitoring of application groupexecution. By way of example, an application user may be billed based onone or more of amount of CPU time used by the application, amount ofresources required, number of open files, number of concurrent users,number of transactions, number of processes, and the number of time theapplication has been run.

The billing interceptors 434 run as part of the application group'sapplication processes and are only activated when an interceptedfunction is called. This makes the billing interceptors especiallyefficient for capturing data related to resource usage, transactions orany other activity triggered by the application. FIG. 12 illustrates byway of example embodiment 480 this in detail. Continuing with theexample embodiment from FIG. 11 but reducing it to the essentialelements related to the billing subsystem, the AGCP 482 launches theapplication A1 484 and the local billing manager 492. The interceptorsconsists of the application process interception layer 486 and thebilling interceptors 488.

The billing interceptors 488 are broken down into one or more sub-groups490. Example sub-groups include but are not limited to “filesopened/used”, “transaction count”, “user count”, and “resourcesused/opened”. By way of example, the “files opened/used” interceptorintercepts all calls that open files, such as open( ) and fopen( ), andincrements counters each time a new file is opened.

The interceptor keeps track of the billing information using a datastructure. Example data structure in pseudo code

Class BillingEvent

{

-   -   Int m_InterceptorID;    -   BigInteger m_UseCount;    -   BigInteger m_DataAmount;

}

Where BigInteger designates an arbitrary precision integer data type.Such are provided in Java by BigInteger and the equivalent classes andlibraries in C and C++. All that is required is that they can fullyrepresent m_UseCount and m_DataAmount. The m_InterceptorID is an integerassigned to each interceptor at development time enabling the LocalBilling Manager to determine which interceptor generated a certainbilling event.

By way of example, if the application A1 484 executes the followingcode:

int main(void)

{

-   -   char const*pStr=“small text”;    -   FILE *fp=fopen(“/home/user/newfile.txt”, “w”)    -   if (fp !=null)        -   fwrite(pStr, strlen(pStr),1,fp);    -   fclose(fp)

}

The billing interceptor 490 for fopen( ) would increment its m_UseCountcounter by one indicating the use of a file, and the interceptor forfwrite( ) would increment its m_UseCount by one and it's m_DataUsed by“strlen(pStr)*1” bytes, corresponding to the number of bytes written.Other function interceptors work in a similar manner.

Upon completing the interception the interceptor forwards 491 theBillingEvent to the Local Billing Manager's 492 “Pending Billing Events”message buffer 495. In a preferred embodiment the BillingEvent isforwarded using sockets. In an alternate embodiment named pipes areused. In yet another alternate embodiment IPC is used.

FIG. 12 illustrates by way of example embodiment 491 the local billingmanager and its components. The billing manager 491 is comprised of thebilling aggregation subsystem 494, the profiling for the applicationgroup 496, and the “pending billing events” message buffer 495. Certaintypes of application measurement, such as amount of CPU time and memoryusage are measured on an ongoing basis independent of the billinginterceptors. The AG profiling system 496 measures the amount of CPUtime used by each of the processes of the application group By way ofexample, the amount of CPU time taken by a process may be determinedusing the POSIX function times( ). The profiling subsystem 496 builds aBillingEvent with a pre-designated m_InterceptorID, and places it in thepending billing events message buffer 495 for processing by the BillingAggregation subsystem. In the preferred embodiment where the billinginterceptors 490 communicate with the local billing manager 492 usingsockets, the pending billing events message buffer 495 is the bufferprovided by the listening socket. In the alternate implementation wherethe messaging use named pipes, there is one named pipe for communicationfrom the billing interceptors 490 and another named pipe forcommunication from the AG profiling 496. The figures and text describesone pending billing event message buffer, but it is understood thatdepending on implementation there may be more than one. The followingexample embodiments continue to describe the event processing using onebuffer. Multiple buffers are handled in a similar manner with the samealgorithm.

The Billing aggregation subsystem 494 process all incoming BillingEventsand keeps a running total for each m_InterceptorID. The billingaggregator 494 maintains an array of all Billing Events and updates thearray as new BillingEvents come in. The Billing Aggregation 494 isdescribed by the following pseudo code:

Initialize BillingEventArray and

-   -   set all counters to zero.

Wait for (events in pending BillingEvent buffer)

{

-   -   Remove BillingEvent from incoming buffer    -   Find element in BillingEventArray    -   with m_InterceptionID equal to the    -   BillingEvent. m_InterceptorID    -   Update said BillingEventArray element with    -   data from BillingEvent

}

At all times the Billing Aggregation 494 has, subject to processing ofpending incoming Billing Events 495, an up-to-date view of billableevents and thus has all the data to generate true usage-based billing.

If an isolated environment contains multiple applications, there is oneapplication group control process for each application and each AGCPlaunches its own Local Billing Manager.

11. Aggregation of Usage-Billing Data Across Multiple IsolatedEnvironments

The teachings so far using a combination of interception and profiling.The local billing manager within each isolated cover collection of usagebilling information within an isolated environment environmentscommunicate the usage billing information to a Central Billing Manager,responsible for aggregation across all running isolated environments andapplications.

FIG. 13 illustrates by way of example embodiment 500 the aggregation ofbilling data across multiple applications and isolated environments. Byway of example, and not limitation, the Central Billing Manager (CBM)503 is located on the IESS 502. This is just an example; the CBM 503 mayreside on any server on the network. A server 504 hosts two isolatedenvironments with associated applications, IE1 506 with applicationApp1, and IE2 508 with application App2. A second server 510 hosts twoisolated environments with associated applications, IE3 with 512 withapplication App3 and IE4 514 with App4. App1, App2, App3 and App4 may beany application provided by the IESS 502 using the teachings above, thusthe application may all be the same, all different or a combinationthereof. Within each isolated environment the local billing managercollets usage data as previously disclosed.

Using the same algorithm and with an extended message structure thelocal billing manager forwards its aggregated billing information to thecentral billing manager 503. One additional field is added to theBillingEvents to form the BillingManagerEvents

Class BillingManagerEvent

{

-   -   Int m_InterceptorID;    -   BigInteger m_UseCount;    -   BigInteger m_DataAmount;    -   String m_ClientLogin;

}

Where m_ClientLogin is the user name corresponding to the isolatedenvironment. This uniquely identifies the party responsible for thebilling event, i.e. the Client, and the type of billing event.

The message format disclosed above thus enables the CBM 503 toaccurately aggregate billing information both by client and by isolatedenvironment.

In a preferred embodiment the local billing manager sends theBillingManagerEvents to the central billing manager using sockets. In apreferred embodiment, the local billing manager aggregates billingevents on a user-configurable timer.

FIG. 13 illustrates an example with two servers. Any number of serversis handled in a similar manner. FIG. 13 illustrates an example with twoisolated environments per server; any number of isolated environmentsfor a server is handled in a similar manner. Similarly, FIG. 13illustrates one application per isolated environment; any number ofapplications is handled in a similar manner.

As disclosed for the Local Billing Manager, the CBM 503 process allincoming BillingManagerEvents using the same algorithm disclosed above,to build a complete billing history for all isolated environments byclient and by Billing Event. This provides very fine grained usagebilling of running applications. At any point in time the CentralBilling Manager thus has all usage data available and can generateusage-billing in real-time.

The usage billing provides detailed usage by client and usage type. Saidbilling details may be provided as XML structured data, Microsoft Excelformat or any other pre-defined export format.

12. Deployment Scenarios

FIG. 13 further illustrates by way of example embodiment 500 a varietyof ways the invention can be configured to operate.

In one embodiment, the invention is configured with the IESS on acentral server 502. Two application servers 504, 510 have theirapplications and isolated environments 506, 508, 512, 514 streamed fromthe IESS 502 and are serving the applications to clients over the LAN501. In this embodiment a PC 516 on the LAN access the hostedapplications 506, 508, 512, 514. In another embodiment a PC 518 accessthe hosted applications 506, 508, 512, 514 over the internet 520 In athird embodiment, the invention is configured to serve applications 506,508, 512, 514 to a cell phone or PDA 524 accessing the applications overa wireless 522 internet 520. The invention runs on one or more of thedevices, can be distributed across two or more of these elements, andallows for running the invention on any number of the devices at thesame time and without interfering with each other.

The just illustrated example embodiments should not be construed aslimiting the scope of the invention but as merely providingillustrations of some of the exemplary embodiments of this invention

13. Usage Billing Without Isolated Environments

The teachings above are built on the layered interception disclosed inHavemose. While the teachings above are presented in the context of theisolated environments, the billing system and methods only rely on thelayered interception, and the disclosed messaging and data structures.

The local billing manager inserts the client login into theBillingManagerEvents it generates. For embodiments without isolatedenvironments, the client login is replaced with the account login asfound on all Windows, Linux and UNIX platforms. The teachings in anyother way remains the same.

The teachings regarding usage billing thus apply to all applications,not just applications running within isolated environments.

14. Conclusion

In the embodiments described herein, an example programming environmentwas disclosed for which an embodiment of programming according to theinvention was taught. It should be appreciated that the presentinvention can be implemented by one of ordinary skill in the art usingdifferent program organizations and structures, different datastructures, and of course any desired naming conventions withoutdeparting from the teachings herein. In addition, the invention can beported, or otherwise configured for, use across a wide-range ofoperating system environments.

Although the description above contains many details, these should notbe construed as limiting the scope of the invention but as merelyproviding illustrations of some of the exemplary embodiments of thisinvention. Therefore, it will be appreciated that the scope of thepresent invention fully encompasses other embodiments which may becomeobvious to those skilled in the art, and that the scope of the presentinvention is accordingly to be limited by nothing other than theappended claims, in which reference to an element in the singular is notintended to mean “one and only one” unless explicitly so stated, butrather “one or more.” All structural and functional equivalents to theelements of the above-described preferred embodiment that are known tothose of ordinary skill in the art are expressly incorporated herein byreference and are intended to be encompassed by the present claims.Moreover, it is not necessary for a device or method to address each andevery problem sought to be solved by the present invention, for it to beencompassed by the present claims. Furthermore, no element, component,or method step in the present disclosure is intended to be dedicated tothe public regardless of whether the element, component, or method stepis explicitly recited in the claims. No claim element herein is to beconstrued under the provisions of 35 U.S.C. 112, sixth paragraph, unlessthe element is expressly recited using the phrase “means for.”

What is claimed is:
 1. A system, comprising: one or more servers thathost isolated environments, comprising application files on one or morehosts with host operating systems, and their applications; one or morebilling interceptors configured to load into one or more of addressspaces of the hosted applications or address spaces of the hostoperating systems upon execution of each of the hosted applications; andat least one central computing device configured to operate a centralbilling manager.
 2. The system according to claim 1, comprising at leastone local billing manager for each application within one of theisolated environments, wherein for each application within an isolatedenvironment the local billing manager performs at least one of:aggregates all received billing events into one or more billing managerevents and adds a client login to the billing manager events.
 3. Thesystem according to claim 2, wherein the local billing manager inserts aclient login in all billing events prior to the billing manager eventsbeing sent to the central billing manager.
 4. The system according toclaim 1, wherein the central billing manager sorts billing managerevents by client login and interception identifier (ID).
 5. The systemaccording to claim 1, wherein the central billing manager produces abilling summary in one of XML, Microsoft Excel and a custom exportformat.
 6. The system according to claim 3, wherein said billing eventsare sent to the central billing manager via at least one of: sockets,named pipes, and an inter-process communication (IPC).
 7. The systemaccording to claim 1, wherein the one or more billing interceptors areconfigured to intercept access to at least one or more of the followingsystem resources: application execution time used, application storageused, number of open files by application, number of records in adatabase, and number of times the application has been launched.
 8. Thesystem according to claim 1, wherein the central billing manager tracksbilling manager events via the billing interceptors.
 9. The systemaccording to claim 1, wherein the billing interceptors intercept atleast one of a number of resources open, a number of open files, anumber of transactions, a number of concurrent users, a number ofprocesses, and an amount of data that flows through a resource.
 10. Thesystem according to claim 2, wherein the local billing manager profilesthe applications, creates one or more billing events based on saidprofiled applications, and aggregates billing information.